C/C++
title: Secure development in C/C++
audience: senior/medior developers, lead devs, testers and security champions
duration: 1 or 2 days (7 or 12 hrs education time), depending on the actual kit of topics applicable/required (see Agenda below)
We assume that the developers attending the secdev course:
- are familiar with the C/C++ language, can compile and execute the programs
- specific focus of the course (see below) may result in additional prerequisites
- DIY code and ASVS audit
Due to the variety of applications, ranging from embedded to large scale deployments, real-time and critical systems that are built in C/C++, we recommend to tailor the training for the specific needs of the particular development team.
The list of modules below illustrate the scope to choose from, however the exact scope and detail level is pre-arranged to suit the specific needs of the attendees.
- Defense in depth principles
- Standards and practices
- Various types of weaknesses and vulnerabilities
- Threat modeling
- Risk assessment
- Security by design
- Checkpoints
- Stack overflows
- Heap overflows
- String formatting issues
- Array and string indexing
- Integer overflows
- Float limitations
- Type casts
- Secure memory handling
- Safe pointers
- Removal of sensitive data
- Common errors
- Injections
- Unsafe type casts and conversions
- Regular expressions
- Validation practices
- Symmetric and asymmetric encryption
- Communication encryption
- Storage encryption
- Password handling
- Deadlocks, starvation, etc.
- Race conditions
- Accessing external resources
- Automated analysis with existing tools
- Code review
- OWASP ASVS
- Safe and unsafe APIs
- Secure libraries
- Module isolation, wrappers, etc.
Lead trainers:
Co-trainers:
Last modified 2yr ago